aws_iam_root_user

Use the aws_iam_root_user InSpec audit resource to test properties of the root user (owner of the account).

To test properties of all or multiple users, use the aws_iam_users resource.

To test properties of a specific AWS user use the aws_iam_user resource.


Availability

Installation

This resource is distributed along with InSpec itself. You can use it automatically.

Version

This resource first became available in v2.0.16 of InSpec.

Syntax

An aws_iam_root_user resource block requires no parameters but has several matchers.

describe aws_iam_root_user do
  it { should have_mfa_enabled }
end


Examples

The following examples show how to use this InSpec audit resource.

Test that the AWS root account has at-least one access key

describe aws_iam_root_user do
  it { should have_access_key }
end

Test that the AWS root account has Multi-Factor Authentication enabled

describe aws_iam_root_user do
  it { should have_mfa_enabled }
end


Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our matchers page.

have_mfa_enabled

The have_mfa_enabled matcher tests if the AWS root user has Multi-Factor Authentication enabled, requiring them to enter a secondary code when they login to the web console.

it { should have_mfa_enabled }

have_hardware_mfa_enabled

The have_hardware_mfa_enabled matcher tests if the AWS root user has Hardware Multi-Factor Authentication device enabled, requiring them to enter a secondary code when they login to the web console.

it { should have_hardware_mfa_enabled }

have_virtual_mfa_enabled

The have_virtual_mfa_enabled matcher tests if the AWS root user has Virtual Multi-Factor Authentication device enabled, requiring them to enter a secondary code when they login to the web console.

it { should have_virtual_mfa_enabled }

have_access_key

The have_access_key matcher tests if the AWS root user has at least one access key.

it { should have_access_key }

AWS Permissions

Your Principal will need the iam:GetAccountSummary action with Effect set to Allow.

You can find detailed documentation at Actions, Resources, and Condition Keys for Identity And Access Management.